Business Implications of the President's Review Group

Peter Swire
Huang Professor of Law and Ethics
Scheller College of Business
Georgia Institute of Technology
Preface
- Thank you for welcoming me to Scheller
- A law professor, with business as well:
  - IT/privacy/cybersecurity
  - Housing finance & health care, including in government
  - Taught corporations, torts, antitrust, law & economics
  - Grew up in a family business and had real law clients
- Look forward to getting to know more of you
Overview of the Talk
- Intro to the Review Group
- Five business issues:
  - Business & economics issues into the IC calculus
  - US-based global businesses affected by IC decisions
  - Lean toward defense in cyber-security
  - Support better Internet governance
  - Upgrade against insider attacks
- Two themes:
  - Same Internet for multiple purposes
  - Declining half life of secrets
Creation of the Review Group
- Snowden leaks of Section 215 and PRISM in June 2013
- August: Review Group created
- 5 members, with diversity of backgrounds:
  - Technology
  - Business
  - Insider status
Our assigned task
- Protect national security
- Advance our foreign policy, including economic effects
- Protect privacy and civil liberties
- Maintain the public trust
- Reduce the risk of unauthorized disclosure
- Q: Is this a simple task for operations research maximization?
- Focus today: implications for business/economics
Our Report
- Meetings, briefings, public comments
- 300+ pages, released in December
- 46 recommendations
- Section 215 database “not essential” to stopping any attack; recommended that the government not hold phone records
- President Obama's speech in January:
  - Adopted 70% of the recommendations in letter or spirit
  - Additional recommendations under study
  - Organizational changes to NSA not adopted
Issue 1: Foreign Affairs/Economics
- Major theme of the report: we face multiple risks, not just national security risks
  - Effects on allies, foreign affairs
  - Risks to privacy & civil liberties
  - Risks to economic growth & business
- Historically, the intelligence community is heavily walled off to maintain secrecy
  - NSA especially: signals intelligence, secret and dauntingly complex
- Now, convergence of civilian and military/intelligence communications devices, software & networks
- Q: How to respond to the multiple risks?
Addressing Multiple Risks
- RG Recs 16 & 17:
  - New process & White House staff to review sensitive intelligence collection in advance
  - Senior policymakers from the economic agencies (NEC, Commerce, USTR) should participate
  - Monitoring to ensure compliance with policy
- RG Rec 19: New process for surveillance of foreign leaders
  - Relations with allies, with economic and other implications, if this surveillance becomes public
Issue 2: US-Based Cloud Companies in a Global Market
- The issue: effects on the US-based cloud industry
- Understanding the contrasting perspectives of the IC and the IT industry
- Intelligence community perspective:
  - Snowden a criminal; 0% say whistleblower
  - Substantial assistance to adversaries by ongoing revelations of sources & methods
    - E.g., reports on techniques for entering “air-gapped” computer systems
  - IC tradition of expecting secrecy over a long time scale, so details of intelligence activities are rarely disclosed and harms from disclosures rarely experienced
Tech Industry Perspective
- Tech industry perspective:
  - Silicon Valley: 90% say whistleblower
  - Snowden has informed us about Internet realities
  - Tech industry libertarianism: “information wants to be free” and suspicion of government & secrecy
  - Anger at the undermining of encryption standards
  - More anger at stories that leased lines for Yahoo and Google servers were tapped
  - Microsoft GC: the US Government as an “advanced persistent threat”
What is at Stake for the IT Industry
- Biggest focus on the public cloud computing market
  - Doubling in size 2012-2016
  - Initial study estimated losses from Snowden at $21.5 billion/year
  - Cloud Security Alliance estimates up to $180 billion/year by 2016; biggest effect from lower market share for new business
- An opening for non-US providers
  - Market currently dominated by US companies
  - Deutsche Telekom and others: “Don’t put your data in the hands of the NSA and US providers”
The IT Industry Response
- Focus of industry response: more transparency
  - Regular transparency reports already published
  - One goal already had been to boost consumer confidence, especially overseas, such as against previous Patriot Act accusations
  - Lawsuit and lobbying to expand these reports
- Industry opposition to non-disclosure (gag) orders for National Security Letters, etc.
  - Yahoo in 2009 lost one then-secret challenge
Moving to More Transparency
- RG Rec 9: OK to reveal the number of orders, the number complied with, the information produced, and the number for each legal authority (215, 702, NSL, etc.), unless there is a compelling national security showing
- RG Rec 31: US should advocate to ensure transparency for requests by other governments
  - Put more focus on actions of other governments
- DOJ agreement with companies in January
  - More transparency, but not listed by legal authority
  - Ongoing debate, but companies want to stress this issue, to send a message of security and public trust
Issue 3: Offense v. Defense for Cybersecurity
- The issue of trading off offense & defense:
- NSA/IC offensive missions
  - Foreign intelligence surveillance
  - Title 10: military authorities
  - US Cyber Command
- NSA/IC defensive missions
  - Information Assurance Directorate of NSA
  - Protect government systems
  - Counter-intelligence
- We use precisely one communications infrastructure for both offense and defense
Conflict between Offense & Defense Has Increased
(1) Before: separate communications system behind the Iron Curtain; nation-state actors.
Now: same Internet for civilians, terrorists & military.
(2) Before: military protected its communication security within the chain of command.
Now: critical infrastructure largely civilian; tips to defense get known to attackers.
(3) Before: episodic flares of military action.
Now: daily & hourly cyber-attacks on businesses and others, right here at home.
Institutional Changes for Defense
- RG Rec 24: split leadership of NSA and DoD’s Cyber Command
- RG Rec 25: split the Information Assurance Directorate of NSA into a separate agency
  - Would put leadership on the side of defense
  - Asymmetric incentives within the agency between offense and defense
- These recommendations will not be adopted now, for plausible factual reasons
Strong Crypto for Defense
- Crypto Wars of the 1990s showed NSA & FBI interest in breaking encryption (offense)
- 1999 policy shift to permit export of strong encryption globally, necessary for the Internet (defense)
- Press reports of recent NSA actions to undermine encryption standards & break encryption
- RG Rec 29: support strong crypto standards and software; make secure communications a priority; don’t push vendors to have back doors (defense)
- No announcement yet on this recommendation; it is a tech industry priority
Zero Days & the Equities Process
- A “zero day” exploit uses a previously unknown vulnerability, where defenders have had zero days to respond
- Press reports of USG stockpiling zero days for intelligence & military use
- RG Rec 30: Lean to defense. New White House equities process to ensure vulnerabilities are blocked for USG and private networks. Exception if an inter-agency process finds a priority to retain the zero day as secret.
- Software vendors and owners of corporate systems have a strong interest in good defense
- No announcement yet on this recommendation
Issue 4: Internet Governance
- The issue: Snowden becomes a huge talking point against the US approach to Internet governance. Potential harms to business, including US-based business.
- Bottom-up vs. top-down Internet governance?
- Localization rules: split the Internet?
- Confidence (re)building and fostering international norms
International Telecommunication Union (ITU)
- US & US industry position: Internet governance as a bottom-up, tech-based, multi-stakeholder process. Outputs: innovation, growth, Internet freedom, democracy.
- Russia & China: push for a major ITU role. Governance by governments. Respect local norms (called “cybersecurity” but meaning “censorship”). Oppose the “chaos” of the current approach.
- Swing votes at the ITU: medium-sized economies pay more for Internet service than rich countries, lose interconnection fees, and don’t know how to have a voice in the W3C & IETF.
How to Bolster the Multi-stakeholder Approach
- US Internet Freedom agenda: secure communications by dissenters, democratic freedom, human rights.
- Russia & China: Snowden shows US hypocrisy.
  - Response: legal checks & balances in the US; First Amendment; emphatically not used for political repression
- RG Rec 32: senior State Department official on these issues
- RG Rec 33: support the multi-stakeholder approach
- Many RG recs: reinforce privacy & civil liberties & oversight in foreign surveillance
- PPD-28: extend protections to non-US persons
Localization Proposals
- Brazil, Vietnam, Indonesia proposals to require local storage of data
- EU proposals to restrict data transfers to the US; using TTIP & Safe Harbor as bargaining chips for less US surveillance
- RG: emphasize economic & other harms from localization/“splinternet”
  - Strengthen relations with allies
  - RG Rec 31: build an international norm against localization
  - RG Rec 34: streamline multi-lateral assistance treaties (MLATs), so there is no need to hold data locally when it can be obtained in the US
Issue 5: Insider Threats
- The issue: if Snowden can happen to the NSA, is your company more secure than that?
- Many RG recs to protect better against insider threats
- Theme: the system administrator as an important threat
  - Snowden’s job was to move files
  - He did that
  - Response: separation of functions, reduce sys admin privileges
- Theme: USG classified systems followed the M&M model (hard shell, soft interior)
  - Response: new access controls, auditing, and other measures within classified systems
- Similar threats to business systems
The Lessons for Business
- Business & economics issues into the IC calculus
- US-based global businesses affected by IC decisions
- Lean toward defense
- Support better Internet governance
- Upgrade against insider attacks
Broader themes: One Internet
- The same communications infrastructure serves numerous purposes, which should drive policy
  - IC and police have seen it as a surveillance Internet, after 9/11
  - Business sees it as e-commerce, for internal communications and to reach customers
  - Individual users: social networks, email, online shopping, much more
  - Political speech: a global engine for democracy and civil liberties
- Global business & others will have to decide how to help build the Internet they want
Theme: Declining Half Life of Secrets
- The IC assumption was that secrets lasted a long time, such as 25-50 years
- My belief: the half life of secrets has declined sharply
  - Electronic: “my goal is that leaks happen only by a printer”
  - No gatekeeper: Ellsberg needed the NY Times; Manning had Wikileaks
  - Global dissemination: once it leaks, it’s gone
  - Crowd-sourcing: hard to penetrate massive networks at scale and not provide clues
  - Civil disobedience by younger techies
Implications of Declining Half Life of Secrets
- Previously, the IC often ignored the “front page test”
  - Jack Nicholson & “you can’t handle the truth” in A Few Good Men
- But, how many front page stories this year?
- Declining half life of secrets means higher expected value of revelations: a bigger negative effect if you ignore the front page test
- RG: effects on foreign affairs, economics, Internet governance, so the USG should consider these multiple effects and not isolate IC decisions
- For business, how well can you keep secrets if the NSA can’t?
Conclusion
- Pessimists are inclined to think that nothing will change
  - The RNC has endorsed ending the 215 telephone program, plus many Democrats
  - Section 215 program quite possibly will end
  - DOJ agreed to the transparency agreement
  - EU privacy regulation seemed dead, but Snowden-related sentiments resulted this week in the EU Parliament voting 621-10 in favor
- We are in a period where change is possible here, even in Congress
- I look forward to talking with you about what should come next